jordan/rdev

Fork 0

Commit Graph

Author	SHA1	Message	Date
jordan	538ea57ed4	feat: Add claude-config API, security hardening, and testing infrastructure Claude Config API (v0.6): - Add CRUD endpoints for commands, skills, and agents - Commands/skills/agents stored in /workspace/.claude/ (per-project, in git) - Credentials shared via PVC at /root/.claude/ (shared across pods) - Use base64 encoding for file writes (prevents shell injection) - Add content size limits (1MB max) Security Hardening: - Add sanitize package for command/prompt validation - Add rate limiting middleware (token bucket algorithm) - Add concurrent command limiting - Add input sanitization to all command handlers - Gitignore secrets.yaml and credentials.yaml - Add *.example templates for secrets Testing Infrastructure: - Add testutil package with mocks and fixtures - Add unit tests for auth package (63% coverage) - Add unit tests for executor (47% coverage) - Add handler integration tests (40% coverage) - Add 100% coverage for sanitize, cmdlimit packages - Add 96% coverage for ratelimit package Infrastructure: - Shared Claude credentials PVC (ReadWriteMany) - Reduced workspace PVC size from 20Gi to 5Gi - Add init container cleanup before git clone - Document Longhorn RWX requirements Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-25 01:29:13 -07:00
jordan	d2de49a591	feat: Add API key authentication with auto-migrations Implements API key authentication for all rdev endpoints: ## Database (internal/db) - Auto-migrating postgres connection - Embedded SQL migrations via go:embed - api_keys table with scopes, expiration, project restrictions ## Auth Package (internal/auth) - Key generation: rdev_sk_<prefix>_<random> format - Scopes: projects:read, projects:execute, keys:read, keys:write, admin - SHA-256 key hashing (secrets never stored) - Expiration options: 30d, 60d, 90d, 1y, never - Middleware skips /health, /ready, /docs, /openapi.json ## Key Management API - GET /keys - List keys (keys:read) - POST /keys - Create key (keys:write) - GET /keys/{id} - Get key details (keys:read) - DELETE /keys/{id} - Revoke key (keys:write) ## Environment Variables - DB_HOST, DB_PORT, DB_USER, DB_PASSWORD, DB_NAME - RDEV_ADMIN_KEY - Super admin key for bootstrapping Version bumped to 0.5.0. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-24 21:26:26 -07:00

Author

SHA1

Message

Date

jordan

538ea57ed4

feat: Add claude-config API, security hardening, and testing infrastructure

Claude Config API (v0.6):
- Add CRUD endpoints for commands, skills, and agents
- Commands/skills/agents stored in /workspace/.claude/ (per-project, in git)
- Credentials shared via PVC at /root/.claude/ (shared across pods)
- Use base64 encoding for file writes (prevents shell injection)
- Add content size limits (1MB max)

Security Hardening:
- Add sanitize package for command/prompt validation
- Add rate limiting middleware (token bucket algorithm)
- Add concurrent command limiting
- Add input sanitization to all command handlers
- Gitignore secrets.yaml and credentials.yaml
- Add *.example templates for secrets

Testing Infrastructure:
- Add testutil package with mocks and fixtures
- Add unit tests for auth package (63% coverage)
- Add unit tests for executor (47% coverage)
- Add handler integration tests (40% coverage)
- Add 100% coverage for sanitize, cmdlimit packages
- Add 96% coverage for ratelimit package

Infrastructure:
- Shared Claude credentials PVC (ReadWriteMany)
- Reduced workspace PVC size from 20Gi to 5Gi
- Add init container cleanup before git clone
- Document Longhorn RWX requirements

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-01-25 01:29:13 -07:00

jordan

d2de49a591

feat: Add API key authentication with auto-migrations

Implements API key authentication for all rdev endpoints:

## Database (internal/db)
- Auto-migrating postgres connection
- Embedded SQL migrations via go:embed
- api_keys table with scopes, expiration, project restrictions

## Auth Package (internal/auth)
- Key generation: rdev_sk_<prefix>_<random> format
- Scopes: projects:read, projects:execute, keys:read, keys:write, admin
- SHA-256 key hashing (secrets never stored)
- Expiration options: 30d, 60d, 90d, 1y, never
- Middleware skips /health, /ready, /docs, /openapi.json

## Key Management API
- GET /keys - List keys (keys:read)
- POST /keys - Create key (keys:write)
- GET /keys/{id} - Get key details (keys:read)
- DELETE /keys/{id} - Revoke key (keys:write)

## Environment Variables
- DB_HOST, DB_PORT, DB_USER, DB_PASSWORD, DB_NAME
- RDEV_ADMIN_KEY - Super admin key for bootstrapping

Version bumped to 0.5.0.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-01-24 21:26:26 -07:00

2 Commits